Mobile Threat Blog

Share

Meltdown and Spectre: A Tale of Two Vulnerabilities

Two vulnerabilities, Meltdown and Spectre, were recently announced with much hype, panic, and associated confusion. At a high level the two vulnerabilities are similar, both allowing an attacker access to a device’s memory even when it should be protected. However, the cause, scope, implementation, and mitigation for each are all different. Here we’ll explain the two vulnerabilities and what can be done to protect against them on mobile devices.

Overview

Meltdown and Spectre are vulnerabilities in processors used in most modern computing devices, including desktop computers, phones and tablets, cloud infrastructure hardware, and Internet of Things (IoT) enabled devices. Meltdown was independently discovered by three teams of security researchers and Spectre independently discovered by two researchers. Full details of the vulnerabilities and researcher credit can be found at the Meltdown and Spectre site.

The vulnerabilities are caused by “speculative execution” – to speed up code execution, processors will run future program instructions and store the results in the case they are needed. This happens without checking whether the user is allowed to access the memory needed to run the out-of-order instructions. While an attacker can’t access these results directly, the vulnerabilities can be exploited by side-channel attacks such as timing checks: for example, by attempting to access a value repeatedly, measuring the time it takes can give away the value, even if it is restricted.

The scope of the problem includes not only Intel or AMD processors commonly found in desktop systems, but also a large number of the 100 billion ARM processors produced. Unlike Intel or AMD, ARM chips are not made by a single manufacturer. ARM licenses processor designs, and the company makes money via royalties per chip manufactured instead of actual hardware production. This has opened the door to ARM devices being used everywhere, including on mobile devices. Apple A series processors used in hardware including the iPhone, iPad, and Apple TV, are ARM based.

While the main platform for Android is also ARM, due to the wide variety of device manufacturers, many devices are using processors without speculative execution and as a result are not vulnerable. However, due to platform fragmentation, the security patches made available by Google are not universally available.

Meltdown

Intel x86 and some ARM-based processors are vulnerable to Meltdown, and the exploit is made possible by the way the operating system handles memory allocation. By exploiting Meltdown, an attacker can gain access to protected memory used by the device’s operating system, or any memory on the device. This can be used to look for passwords, cryptographic keys, or other sensitive information.

The Meltdown exploit is the easier of the two to implement, but fortunately, it’s also easier to protect against. By changing the way the device operating system implements memory allocation, the protected memory can be further isolated from users. This method, called Kernel Page-Table Isolation (KPTI), will prevent Meltdown from working. The downside? It works by turning off a way of optimizing the speed of memory access, overall slowing down code execution. The exact performance hit is still being measured and may vary from device to device, but many operating system developers expect it to be 30% or more.

Spectre

Much like how cancer is not a single illness but a collection of diseases that operate with similar methods, Spectre is an entire class of attacks that use the same hardware vulnerability with speculative execution. If malware families are equivalent to diseases, Spectre’s equivalent could be “limitless cell replication” – the way many diseases are harmful, but not the disease itself.

Where Meltdown is a single vulnerability that can be patched (although with cost) in the operating system, Spectre is a fundamental problem with modern processors. Unlike Meltdown, the attack needs to be tailored to a specific program, not the operating system itself.

The end result is that a user can access other programs’ memory by exploiting Spectre, which can have the same results as Meltdown, Heartbleed, or similar memory access exploits: compromise of secret information such as passwords or cryptographic keys.

It’s possible to identify and prevent some common Spectre attacks in software, but to fully fix the problem, it’s possible that we’ll need new hardware designs (and associated hardware) as well. This makes Spectre more like a new tool in every attacker’s toolbox rather than a single piece of malware that can be identified and cleaned – and it’s likely that it will be around for a long time, given the scope of the problem.

Almost every modern processor is vulnerable to Spectre. This includes embedded chips – microprocessors are everywhere. An attacker needs to be able to run code on the processor in order to exploit Spectre, which may make many embedded systems harder to attack.

Recommendations

Patches for modern operating systems exist for Meltdown. On Android and iOS, updating to the most recent security patch (iOS 11.2.1 covers Meltdown, iOS 11.2.2 hardens Safari and WebKit for Spectre, Android Security Update 2018-01-01) will close the Meltdown vulnerability.

Spectre patching is harder. Patches to close some attack vectors are starting to appear, the most notable being browser updates to prevent JavaScript attacks. Appthority recommends keeping all apps up-to-date with security patches. Standard security recommendations also apply here: be cautious with untrusted apps or websites, especially on unpatched devices.

What Next?

Not all is lost. No widespread Spectre attacks have been seen in the wild, and much like any large scale mobile vulnerability (e.g. Stagefright, Broadpwn, Blueborne), it’s unlikely that exploits will turn into a full pandemic.

It is likely that over time, Spectre attacks will be incorporated into attackers’ toolboxes, and may often be targeted at older or embedded devices that cannot be upgraded. But at the same time, research is actively underway into new methods for securing devices. In short, this is the same cat-and-mouse game that is normal in security.